SQL Server | Databases | Security | Privacy | Technology

National Cyber Security Awareness Month – Low Hanging Fruit

Since 2004 the Department of Homeland Security has organized October as National Cyber Security Awareness Month. The goal is to promote cyber security to help keep Americans safe online. Fast forward 14 years and the security landscape has only become more dangerous. More opportunities exist for online abuses than ever before. The proliferation of internet connected devices that comprise the IOT creates additional attack surfaces which often have security as an afterthought instead of baked into the design.

Today I want to focus on the low hanging fruit i.e. the easy wins we can achieve to significantly improve our online safety and security. Read on to see the simple things most people can do to improve their situation.

STOP.THINK.CONNECT.

This slogan is meant to promote taking security precautions, understanding the consequences of your online actions, and safely enjoying the Internet. More and more of our lives are influenced by digital things. As this influence grows it becomes more and more important to learn this critical skill. It isn’t as hard as you think. You don’t need to have a PhD, be a math wizard, or have some secret special skill.

Security is best conducted with a layered approach. There is no silver bullet when it comes to online security. While there is no one simple thing we can do to be safe online, there is great benefit to having a small array of simple things that make you more secure. Let’s have a look at a general list of the low hanging fruit available to us that, when implemented, significantly reduce the probability of you becoming a target or victim.

TL;DR Summary of Security Tips

Our goal here is to secure ourselves with simple quick methods. Protecting against the easiest and most common exploits can be done. Here is a summary of some quick wins we can use to take away that low hanging fruit.

Keep all your devices up to date with the latest security patches

Use and keep your anti virus updated

Do not click on every email attachment – learn to spot a phish

Choose strong passwords that you do not reuse – consider a password manager

Do not reply honestly to security questions – they should be as strong as your password

Use Multi Factor Authentication everywhere you can

Home router has a strong password with connected insecure devices on a separate network

Use VPN especially when using public WiFi connections

Do not disclose your location to everyone

Social media uses you as a product for their business. Be careful about how much information you choose to share because it never goes away.

By following these 10 tips you will be more secure than most other people. Well if you are not yet convinced allow me to explain…

Computer System Security Basics

I have broken up the security tips into several broad categories:

Email

Passwords

Network

Location

Social Media

In general there are many simple small things that you can do which, when added up, create a security perimeter you otherwise would not have had.

Install Security Updates

Do not ignore updates from your operating system, applications, phone, etc. Many updates are almost entirely security fixes rather than feature enhancements. Install them everywhere and as soon as you can. I know people who like to snooze updates, if allowed, for as long as they can. I have seen months and years piled up. When you understand that these security patches and updates are patching a security hole that is well known and has been exploited in the wild you will see the urgency of applying security updates to your devices.

Update your devices everywhere and all the time!

Anti Virus

If you don’t have an AV solution then go get one. If you don’t want to pay there are some free options available. One such example is the Avast Free AV. Just as you would protect yourself from devastating illness by vaccination, the same principle applies here to AV.

Remember: not updating your AV is the same as not having AV

Disable Guest Accounts

Many systems have a “guest account” by default. This is a way to access the machine with limited rights with no password. The problem is that it is easy to exploit and elevate your privileges. Where ever you can please disable the guest logon account.

The problem with guest accounts is that we have no way of identifying or authenticating what this user is doing.

Hard Drive Disposal

When you are ready to sell or throw away / recycle your hard disk it is important to know that your data is still on it. Even if you format the drive it is still there – just not accessible to the OS. Therefore it is imperative that you “zero out” the disk (this means writing zeroes in every sector over the previous contents).

Properly erase all of your data before getting rid of a hard disk

There are paid and free alternatives out there. One such free option is DBAN. Of course if you don’t want to go through the software process of wiping the disk you can always resort the physical mutilation.

Email Security

Two simple things can greatly reduce the chances you are compromised via email:

Do not click on strange attachments

Learn to spot a phish

Don’t Become Attached to Attachments

I know it is tempting to click on every button you can. I also know it can be a mindless action. However, it is important to exercise caution with email attachments. They can be labeled as something that appears benign but truly be a malicious program.

Open attachments from known and trusted sources only!

Phishing Expeditions

Just as someone might disguise their appearance to not be seen or appear as someone else, emails can be disguised and impersonated to appear harmless all the while carrying a nefarious payload. The goal of phishing is to obtain confidential and sensitive information from you. This can be your credit card number / expiration date / security code, bank account number, DOB, address, SSN, password, etc.

Phishing is the online version of street hustling people for “gas money” because they ” broke down” or need bus fare to get home.

Phishing emails masquerade as genuine “trusted” messages. A popular example that you may have seen are emails that purport to be your bank. They take you to a fake login page, ask you for your credentials, record them and redirect you to the actual bank login (or just fail the process). Now they have your credentials and you may not even know!

Passwords

This is one of the most important ways you can secure and protect your online activities. Many people neglect to have a strong password. Here are some tips:

Choose a strong password

Use a different password for each login

Change your password from time to time.

A strong password is one that is > 8 characters containing alphabet characters (upper/lower if case sensitive), integers, and some special characters. This password should not be a word or permutation that might be found in any dictionary. My favorite illustration of picking a strong password is by the comic xkcd. This example shows why a password like “CorrectHorseBatteryStaple” is a better password than most others.

NOTE: please don’t make your password be CorrectHorseBatteryStaple

Consider a password management system. I have engaged in several online debates with people about the advantage of using a password management system. The most compelling reason against using them is that your passwords are now all in one location and if the master password is known then everything is compromised. My retort to that – Fort Knox is also a single point of failure but you don’t see people suggesting we just keep gold under our beds. The pros outweigh the cons so please use a password manager.

Don’t reuse logins. It only makes things worse. Changing your password doesn’t have to be frequent – maybe every 6 months or year will suffice.

Cracking Your Password

The truth is that most people are terrible at choosing strong passwords. Our brains are not equipped to memorize long complex strings for every single account. Therefore people often resort to choosing something simple enough to remember and using it everywhere.

How does the adversary get your password?

Brute force dictionary attacks

Social Engineering

Social Media

Guessing

Brute Force Dictionary Attacks

The traditional method for getting your password is brute force dictionary attacks. This involves an automated process that connects and tries every word in the dictionary. They are automated rapid password attempts based on the dictionary of words. They are quite advance today and include permutations (l33t$p3@k). Given enough time and computing resources they will eventually get in.

The internet security firm SplashData publishes a yearly list of the top 25 most common passwords. PasswordRandom.com keeps a list of the most common passwords. Look at the list and if you are using any of these (or something like them) please change your password to something stronger.

Social Engineering

Social engineering is used a lot to get information out of people that, when combined together, gives a window into what their password might be. Think about that person who names their password after their pets name with a number. Now think of how easy it would be to learn their pets name.

Social Media

Social media is a giant repository of personal information from a trusted source – you! One of the reasons it is so valuable is because it comes from an authentic source rather than derived elsewhere. Share as many cat photos as you want but maybe try and limit the superfluous personal information you share that can compromise your passwords. This becomes more pronounced if you are using simple honest answers to security questions.

Guessing

See that list above with the most common passwords? Simply guessing patterns like those can gain unauthorized account to an account. Don’t be a victim!

Security Questions

Many sites have a mechanism that helps people who have forgotten their password. It involves asking you a set of questions that are easy to answer that you can plug in to verify your identity and reset your password. The bad guys will look for the easiest way to gain access. Password security questions are a vulnerable target.

Consider you have a strong password; however, you choose basic and honest answers to your security questions. Anyone can then try to logon as you, click “I forgot my password” and guess at your security questions. These are often much easier to guess than your password. Now they have access to your data.

Multi Factor Authentication

Use 2 factor authentication wherever you can. Gmail, Dropbox, banks, insurance, and many other places offer it. It is free and an easy way to protect your accounts. Instead of having a password to access your account the system will prompt you for additional information like a code text to your phone or an email with a code to enter.

This makes it much harder for someone to get your credentials because now they need >1 thing. This is so powerful – even if you have a terrible password your security position can be greatly improved by using MFA.

Network Communications

abstract three dimensional representation of cyberspace and the internet (Image / License)

Make sure you keep a strong password on your router. This is protecting entry to your local area network LAN and everything on it. If you want to keep the guest account open that is fine – it will only allow internet access and not to any of your devices. If you have IOT devices then consider putting them on a separate network. Modern routers make this quite easy.

VPN

Virtual Private Network is a critical part of your online security. Basically is it software you install to your computer or phone that connects to their network and then passes your traffic to the destination you intend. They are exceedingly cheap (some free options) and remarkably easy to use.

Especially for travelers, having a VPN is invaluable when staying at a hotel and using WiFi, sitting in Starbucks working, passing time at the airport, or any public internet connection. I know people who have had their identity stolen on hotel WiFi. If they had used a VPN this would not have happened.

Location

You can tell a lot about someone by just tracking their location. Assume I knew nothing about you. The only bit of information I had was your current location. Sounds innocent, right? Well consider all the information I can easily discern about you and identify you. I know where you live because I can tell your location when you sleep – likely your house. I know where you work because of your location between 9-5, I know where you frequent and I know where your mistress, drug dealer, or controversial gathering is and can surmise the participants.

Refuse to offer applications and web sites tracking information to your location. Say no every time. There have been studies that show just how easy it is to identify someone by innocuous data. Imagine knowing a zip code, DOB, sex, and possibly the first character of their first or last name. You might be surprised at how powerful identifying someone from this data is.

Social Media

Remember that your social media presence is either available to absolutely anyone or can be easily obtained. That is the business model of these companies. Why do you think Gmail is free? Why do you think Google will raise all alarms to bring and outage back up ASAP for non-paying users? Their entire business is surveillance and you are providing them with first hand data.

If you are not paying for the product, then you are the product.

I’m not saying you should delete Facebook (although that might be a good idea) or scrub all social media presence, but rather to be careful about transmitting too much information.

Younger people should especially be guarded against putting too much information out there. The Internet is written in ink and once published can never really be taken down. It might seem fun while you are in high school or college but as you grow up this frivolity becomes more of a pain. Do you want something you said or did 35 years ago to be taken out of context and used against you? It sounds ridiculous but it in the current age happens on the regular.

Do you want to live in a world where everything you say, write, and do is recorded?

Instant Messaging

For instant messaging you should consider anything from Open Whisper Systems – in particular Signal. It encrypts your chat messages end to end and unlike WhatsApp does not have the reservations that come from being owned by Facebook.

If you don’t already use Signal then you really should!

And After All This

By following the above precepts you will have a superior online security perimeter than those who neglect them. Enjoy the awesomeness of the Internet and stay safe!